Let’s Encrypt + Plesk

Let’s Encrypt issues SSL certificates for free, and by now most systems trust its CA. Let’s Encrypt features a CLI to request, update and install certificates – which works nicely as long as your server’s setup is compatible. A Plesk-based setup, however, is not.

Luckily, Plesk features its own CLI – so let’s make a short script to renew and update certificates. Here’s the script, I’ll explain later. It requires Let’s Encrypt’s “certbot” to be installed in $HOME.

The script has a short configuration section at the top, most notably the domains you want to work on. They are given in a string array. Each entry starts with the domain name that was given first when registering the certificate with Let’s Encrypt, followed by all subdomains you want to secure with the same certificate, separated by spaces. More precisely: Let’s Encrypt stores your certificates in /etc/letsencrypt/live/<domain>, and the first token is used to generate this path. I recommend using your domain without any subdomain for this purpose, i.e. “domain.tld sub.domain.tld sub2.domain.tld”. To achieve this, when calling letsencrypt-auto, give this domain as the first one, i.e.

This, of course, requires your domains to be set up in Plesk the same way, i.e. in Plesk, domains with the names “domain.tld”, “sub.domain.tld” and “sub2.domain.tld” must exist. The Plesk CLI commands used to register and set up the certificates are:

If you want your IP addresses to be given a default certificate, you should set both IP address variables AND the “main domain” setting. The script will look for a certificate issued for this domain, register it in the admin’s repository and then assign it to both addresses. The respective commands issued are:

If you want your email communication to be secured with your Let’s Encrypt certificates, you have to request a certificate for your “main domain” that includes your MX subdomain. For example, if “main domain” is set to “example.com” and the MX for this domain is “mail.example.com”, your certificate must include this subdomain. Securing a Plesk-based system’s email with your own SSL certificates has been described by Jay Versluis on wpguru.co.uk, and I simply scripted his approach.
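
The domain-list format and the MX requirement described above, as an added example that is not the author’s script: it validates every token before it is used as a path component or command argument, derives the /etc/letsencrypt/live/<domain> directory from the first token, and checks that the MX name is part of the entry. The function names and the sample entry are assumptions; `-d` is certbot’s domain option.

```sh
# Added example, not the author's script; function names are hypothetical.
LC_ALL=C; export LC_ALL          # byte-wise a-z ranges in the patterns below
set -f                           # no filename expansion while splitting entries
LIVE_ROOT=/etc/letsencrypt/live  # directory named on the page

# Accept only plain lowercase DNS names: a token is later used as a path
# component and as a command argument, so "../x" or "--flag" must not pass.
valid_host() {
  case $1 in
    ''|-*|*-|.*|*.|*..*|*-.*|*.-*|*[!a-z0-9.-]*) return 1 ;;
    *.*) [ "${#1}" -le 253 ] ;;
    *) return 1 ;;
  esac
}

# Succeeds if the entry is non-empty and every token is a valid host name.
check_entry() {
  count=0
  for n in $1; do
    valid_host "$n" || { echo "rejected token: $n" >&2; return 1; }
    count=$((count + 1))
  done
  [ "$count" -gt 0 ]
}

# Print the certificate directory derived from the entry's first token.
live_dir() {
  check_entry "$1" || return 1
  set -- $1
  printf '%s/%s\n' "$LIVE_ROOT" "$1"
}

# Print "-d name" pairs in entry order, keeping the first token first.
certbot_args() {
  check_entry "$1" || return 1
  out=
  for n in $1; do out="$out -d $n"; done
  printf '%s\n' "${out# }"
}

# Succeeds only if host $2 (for example the MX name) is listed in entry $1.
covers_host() {
  check_entry "$1" || return 1
  for n in $1; do [ "$n" = "$2" ] && return 0; done
  return 1
}

# Constructed sample entry in the format the page describes.
ENTRY="example.com www.example.com mail.example.com"
```

Running `covers_host "$ENTRY" mail.example.com` before requesting the certificate catches a missing MX name while the entry can still be corrected.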